Re: re nat masquerade router

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Have you tried the config file I sent you for /etc/sysconfig/iptables
earlier? I tested it on my Fedora Core 2 box and confirmed that it
works fine in Fedora.

Erik

On Tue, 15 Jun 2004 14:51:06 -0400, fedora
<fedora@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> Thanks for your help so far-
> still no luck with the Host web browser.
> 
> 1_ How should I enter that last -s !?
> #"iptables -A INPUT -s ! 192.168.0.0/16 -j DROP "  ...?
> 
> 2_ Here's what I have done so far...
> 
> a) the Host at 192.168.1.10 can ping the Router at 192.168.1.1
> successfully without packet loss.
> 
> b) removed default gateway for router eth1 (thanks rodolfo paiz)
> c) edited /etc/hosts (thanks rodolfo paiz)
> 
> d) flushed rules and reset, without the "-s !"
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> 
> e) checked it worked
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     all  --  anywhere             192.168.0.0/16
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state
> RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW
> tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW
> tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW
> tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW
> tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with
> icmp-host-prohibited
> 
> f) restart nw
> # /etc/init.d/network restart
> Shutting down interface eth0:                              [  OK  ]
> Shutting down interface eth1:                              [  OK  ]
> Shutting down loopback interface:                          [  OK  ]
> Disabling IPv4 packet forwarding:                          [  OK  ]
> Setting network parameters:                                [  OK  ]
> Bringing up loopback interface:                            [  OK  ]
> Bringing up interface eth0:                                [  OK  ]
> Bringing up interface eth1:                                [  OK  ]
> 
> Result: Still no luck with web browser from Host.
> 
> anything else I should try?
> Or go straight to another tool, as others have suggested?
> Thanks to all other suggestions,
> 
> Chris
> 
> <original message>
> Subject: Re: nat masquerade router
> To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
> Message-ID: <1087321492.3543.75.camel@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
> 
> Am Di, den 15.06.2004 schrieb Michael Floyd um 19:29:
> 
> > Well I see that your using a 24 bit subnet mask ( 255.255.255.0 ) not
> a 16
> > bit ( 255.255.0.0 )
> > It would be your firewall rules that are blocking you.....
> 
> Right.
> 
> > These two lines......
> > # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT# iptables -A FORWARD
> > -d 192.168.0.0/16 -j ACCEPT
> > # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> >
> > the ip's should be 192.168.1.0/24 not 192.168.0.0/16
> > the way it's writen, you drop everthing on your subnet.
> 
> No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
> net. He is just bit more permissive than it needs. But does no harm.
> 
> What is causing the blocking is:
> 
> iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> 
> It drops all incoming traffic not being from the private address range.
> Thus packages from public internet are dropped.
> 
> What you intend is better placed to the INPUT chain.
> 
> > Michael Floyd
> 
> Alexander
> </original message>
> 
> 
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux